Why are you reading this? Go outside. Do something meaningful with your life.

Tuesday, July 21, 2009

Diagnosing the Diagnostics: Domain Summary

This is the second part of a series about Google's Safebrowsing Diagnostics page.

The first section of the diagnostics page (What is the current listing status for my site?) displays a summary of the status of the domain. It indicates whether the domain is currently listed in Google's Safebrowsing malware list. It may also list the number of times in the recent past that the domain has been added to and removed from the malware list.

Both these simple facts can be somewhat surprising...

A user or webmaster may see a malware warning in their browser when visiting a page, while the diagnostic page for that site states that the domain is not currently on the malware list. This is usually a Cross-Site Warning: the page loads content from another domain that is on the malware list, and the browser blocked that request. The site is almost certainly infected with malware even though the domain itself is not listed, because something on it is pulling in content from those malicious domains.

Webmasters may also find that their site has been added to the malware list numerous times. This may be an indication that the webmaster is cleaning up the infection on the server without closing all vulnerabilities. When Google's scanners process the malware review, the site is temporarily clean, so it is removed from the malware list. But because the server is still vulnerable, malicious content may be re-injected within hours. Google's malware scanners will quickly detect this and put the site back on the malware list.

Finally, for very new infections, the diagnostics page may be temporarily out of date. Google immediately flags sites found to be malicious and sends email to the webmasters. An alert webmaster who quickly notices that their site has been flagged may find that the diagnostics page lists their site as clean or even completely unscanned. The diagnostics page will update shortly - usually within a couple of hours.

The next post will deal with the most important section of Google's Safebrowsing Diagnostics page: What happened when Google visited this site?

Diagnosing the Diagnostics series:

Thursday, July 16, 2009

Diagnosing the Diagnostics: Background

This is the first part of a series about Google's Safebrowsing Diagnostics page.

Google's Safebrowsing Diagnostics pages are a valuable source of information for webmasters. Unfortunately the information can sometimes be difficult to understand. Hopefully the next few posts will help clarify - I've been struggling with them for the past couple of months since they're fairly complex. Bear with me and jump in with any questions you may have.

Before we get to the diagnostics pages, we'll need to understand how malware works. Malware distributors have created sophisticated infrastructures. Typically, they use three types of servers and domains:
  • Distribution Servers: Malware distributors usually have a set of servers that they control and use as a base of operations. The servers host malware tools and exploits and are usually on a network where they are unlikely to be shut down. They often don't have domain names associated with them, only IP addresses.
  • Compromised Domain: Malware authors compromise legitimate domains and insert malicious scripts. The owner of the website usually doesn't realize this has happened. Most of the entries in Google's Safebrowsing malware list are these sorts of servers that have unintentionally become dangerous.
  • Intermediary Domains: Between the distribution servers and the compromised domains there are often one or more intermediary domains. Malware authors establish domains to obfuscate their malicious code. For instance, they may use a common domain name with a slight misspelling, like gooqleanalytics (notice the Q), hoping that webmasters won't spot the typo.

The structure of Google's Safebrowsing Diagnostics pages mirrors these types of servers and domains. Most flagged domains fall into only one of these categories, e.g. compromised domains usually aren't also distribution servers.
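As an added illustration (not code from the original post), the following Python triage script models two situations described in this series: a page on a clean domain that embeds a resource from a listed domain (the Cross-Site Warning case), and an intermediary domain that is a one-character misspelling of a legitimate one, like the gooqleanalytics example above. The blocklist, the known-good list, the host names and the sample HTML are constructed stand-ins, not Safebrowsing data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data (hypothetical names, not a real Safebrowsing list).
FLAGGED_DOMAINS = {"evil-intermediary.example"}           # stand-in for a listed domain
KNOWN_GOOD = {"google-analytics.com", "ajax.googleapis.com"}  # legitimate hosts to compare against

SAMPLE_HTML = (  # constructed page on the (clean, unlisted) victim domain
    '<html><body><p>Welcome</p>'
    '<script src="https://www.google-analytics.com/ga.js"></script>'
    '<script src="http://gooqle-analytics.com/ga.js"></script>'     # note the Q
    '<iframe src="http://evil-intermediary.example/x.html"></iframe>'
    '</body></html>'
)

class ResourceExtractor(HTMLParser):
    """Collects the hosts of external scripts and iframes embedded in a page."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                host = urlparse(value).hostname if name == "src" and value else None
                if host:
                    self.hosts.append(host.lower())

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(html, own_host):
    """Return (host, reason) pairs for third-party resources worth a webmaster's attention."""
    parser = ResourceExtractor()
    parser.feed(html)
    findings = []
    for host in parser.hosts:
        bare = host[4:] if host.startswith("www.") else host
        if host == own_host or bare == own_host:
            continue
        if bare in FLAGGED_DOMAINS:
            findings.append((host, "on malware list (cross-site warning)"))
            continue
        for good in KNOWN_GOOD:
            if bare != good and edit_distance(bare, good) <= 1:
                findings.append((host, "lookalike of " + good))
    return findings
```

Running `triage(SAMPLE_HTML, "victim-site.example")` reports the listed iframe source and the misspelled analytics host, while the genuine analytics script passes.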

With that background, you may already be able to understand the diagnostics pages a bit better. In future posts we'll dive into the details of each section of the diagnostics page.
